Posted on Monday, 13 March 2017

Are you ready for GDPR?

The General Data Protection Regulation (GDPR) is a new legal framework that applies in the UK from May 2018. Regardless of Brexit, the UK Government has confirmed that the decision to leave the EU will not affect the commencement of the GDPR.

If you are currently subject to the UK Data Protection Act 1998 (DPA), it is likely that you will be subject to the GDPR. If you currently comply with the DPA, most of your approach to compliance will remain valid under the GDPR, but the new regulation introduces some differences, such as:

  • The definition of personal data has been extended to include online identifiers such as IP addresses and cookies;
  • Additional obligations on Data Controllers to ensure contracts with Data Processors comply with the GDPR;
  • Consent requires some form of clear affirmative action and must be verifiable;
  • New provisions for the protection of children’s personal data;
  • New rights for individuals;
  • Enhanced requirements for the implementation of comprehensive but proportionate governance measures to minimise the risk of breaches;
  • A duty on all organisations to report certain types of data breaches;
  • The Data Controller is responsible for and should be able to demonstrate compliance with the GDPR principles.

Failure to comply with the GDPR could result in fines of up to 20 million Euros or 4% of global annual turnover, whichever is the greater.

The Information Commissioner's Office (ICO) has produced some guidance for organisations, but in summary, a GDPR readiness assessment should be conducted to identify any gaps in compliance and to plan your approach to the GDPR.

The ICO provides a 12 step approach which is summarised below:

  1. Ensure that senior management are aware of the changes and the impact of the GDPR. Many organisations believe that information and its security are the responsibility of IT. In fact the business owns the information within the organisation and the associated security risks. A Senior Information Risk Owner (SIRO) should be assigned by the board to act as the point of contact for risk ownership decision making on behalf of the board (although the board as a whole remains responsible).
  2. Identify and document the personal data you hold. It is good practice to document all data types (financial, operational etc.), but for the GDPR specifically, organisations have a responsibility to ensure personal data is accurate. You can't do this if you don't know what personal data you hold, where it is stored and who has access to it. Appoint Information Asset Owners (IAOs), typically heads of business areas/departments, to take ownership of and accountability for that data.
  3. The GDPR introduces new requirements for privacy notices, i.e. what you must tell people when you collect their personal data, such as your legal basis for processing the data, your data retention period and the individual's right to complain to the ICO if they believe there is an issue with the way you are handling their data. Review your current privacy notices to identify any gaps in compliance and implement a plan to change them if required.
  4. Check your procedures to ensure all the rights of individuals are covered. The main rights for individuals under GDPR are:
    • Subject access
    • To have inaccuracies corrected
    • To have information deleted
    • To prevent direct marketing
    • To prevent automated decision making and profiling
    • Data portability
  5. Organisations currently have 40 days to respond to subject access requests. This is reduced to one month under the GDPR and, in most cases, you will no longer be able to charge a fee for complying with a request. Existing subject access procedures should be updated to account for the new timescales.
  6. Identify your legal basis for each type of data processing and be prepared to explain it in your privacy notice and when you answer a subject access request. The legal bases in the GDPR are broadly similar to those in the DPA, but they should be documented to support compliance with the accountability requirements.
  7. Review how you are seeking, obtaining and recording consent and whether any changes are required to comply with the GDPR. The main new requirement is that consent has to be a positive indication of agreement to personal data being processed; pre-ticked boxes or inactivity will not count. Consent has to be verifiable and Data Controllers must be able to demonstrate that consent was given.
  8. If you collect personal data on children (in the UK, expected to be defined as anyone under 13), there are additional requirements under the GDPR. Consider implementing systems to verify ages and to gather parental or guardian consent for data processing. The GDPR puts greater emphasis on the protection of children's personal data, particularly in online environments. Privacy notices aimed at children must be written in language they will understand.
  9. Ensure you have procedures in place for the detection, reporting and investigation of personal data breaches. Where a breach is likely to result in a risk to individuals, such as identity theft, financial loss or unauthorised disclosure of their personal data, it has to be reported to the ICO, and the GDPR sets a 72-hour window from becoming aware of the breach. Where the risk to individuals is high, you will also have to notify the data subject(s). Failure to notify a breach can attract a fine in addition to any fine for the breach itself.
  10. Implement a process to conduct Privacy Impact Assessments (PIAs) to identify the most effective way to comply with data protection obligations and meet individuals' expectations of privacy. PIAs should be part of your organisational risk management and project management processes. Define the conditions under which a PIA is required and who would conduct it.
  11. Assign a Data Protection Officer (DPO), or someone else to take responsibility for data protection compliance. A DPO is mandatory for public authorities and for organisations whose core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special categories of personal data.
  12. If your organisation operates internationally, determine which data protection supervisory authority the organisation comes under. The lead authority is determined according to where your organisation has its main establishment, i.e. where decisions about data processing are made. This authority would take the lead when investigating a complaint involving data processing in a number of Member States.

If you would like some help with your GDPR readiness assessment, contact us at info@aristi.co.uk or call us on 0121 2225630.



Harj Singh is the founder and CEO of Aristi and has over 25 years of experience in the IT and security industry, gained through technical and managerial roles. Harj has helped clients in the public and private sectors to develop and implement security strategies and solutions that add value to their business.

